Last modified: 2011-04-14 15:14:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T23249, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 21249 - Add configuration setting to disable script detection during upload
Add configuration setting to disable script detection during upload
Status: NEW
Product: MediaWiki
Classification: Unclassified
Uploading (Other open bugs)
1.16.x
All All
: Low enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-10-23 08:43 UTC by Kelson [Emmanuel Engelhart]
Modified: 2011-04-14 15:14 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Kelson [Emmanuel Engelhart] 2009-10-23 08:43:46 UTC 
Seems that the method detectScript() returns false positives: valid JPG files are rejected.

Here is an example:
http://upload.wikimedia.org/wikipedia/commons/3/3e/Mozart_magic_flute.jpg

I'm not able to upload this image (url) on my own Mediawiki instance (trunk).
I always get the 'uploadscripted' error.

I think the comment in the JPG file deceives the PHP code.
Comment 1 Andrew Garrett 2009-10-23 08:45:34 UTC 
Yes, Internet Explorer interprets valid JPG files as scripts. That's the problem. We must mimic IE's behaviour in order to protect against Cross-Site Scripting attacks.
Comment 2 Kelson [Emmanuel Engelhart] 2009-10-23 09:14:35 UTC 
I work with a picture source which I trust and have currently to hack the code to avoid this check.
Is that an option to add a config. parameter to allow the deactivation of all this security check by image upload?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links